| Field | Value |
|---|---|
| Title | OpenStatus HQ OpenStatus 20260314 DOM-Based XSS, Open Redirect |
| Description | A DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in OpenStatus's onboarding endpoint. The application improperly trusts a URL parameter (callbackUrl), which is passed to router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim.<br><br>Note to moderator: the PR was merged without notifying the wider user base via a security disclosure. While a fix is merged, it is reasonable that users self-hosting the product are unaware of the vulnerability. As the project does not appear to use any kind of semantic versioning, I have used the date the PR was merged as the version. I have attempted to reach out to the vendor regarding a GitHub security advisory, but they have not responded after a week. Let me know if you require screenshots/evidence of the CVD email chain (I am unable to upload documents).<br><br>CVD: https://gist.github.com/TrebledJ/ab83abb1ca7ff6c1f39e16a37020f323<br>PR Fix: https://github.com/openstatusHQ/openstatus/pull/1980<br>Vendor: https://github.com/openstatusHQ<br>Product: https://github.com/openstatusHQ/openstatus |
| Source | ⚠️ https://gist.github.com/TrebledJ/ab83abb1ca7ff6c1f39e16a37020f323 |
| User | trebledj (UID 94356) |
| Submitted | 2026-03-24 05:21 PM (17 days ago) |
| Moderation | 2026-04-08 04:56 PM (15 days later) |
| Status | Accepted |
| VulDB Entry | 356245 [openstatusHQ openstatus up to 1b678e71a85961ae319cbb214a8eae634059330c Onboarding Endpoint client.tsx callbackURL cross site scripting] |
| Points | 20 |
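The description above says the onboarding page hands an untrusted `callbackUrl` query parameter straight to `router.push`, which is what makes both the open redirect and the DOM-based XSS possible (a `javascript:` or external URL reaches the router unchecked). The following is an added example, not OpenStatus code and not the change merged in PR #1980: a validator that lets only root-relative, same-origin paths through and collapses everything else to a fallback. The function name `safeCallbackUrl`, the injected `origin` argument, and the `/` fallback are assumptions made for the example.

```javascript
// Added example (not OpenStatus project code): normalise an untrusted
// callbackUrl before passing it to a client-side router such as
// Next.js router.push. Assumption: the app only ever needs to redirect to
// its own pages, so only root-relative paths on the current origin pass.

const DEFAULT_FALLBACK = "/"; // assumed safe landing page

/**
 * Return a redirect target that is safe to hand to router.push.
 * Accepts only a root-relative path on `origin`; javascript:/data: URLs,
 * absolute http(s) URLs to other hosts, protocol-relative "//host" and
 * backslash variants ("/\host") all collapse to `fallback`.
 *
 * `origin` is injected (e.g. window.location.origin in the browser) so the
 * check can be exercised outside a browser as well.
 */
function safeCallbackUrl(raw, origin, fallback = DEFAULT_FALLBACK) {
  if (typeof raw !== "string" || raw.length === 0) return fallback;

  // Must begin with exactly one forward slash: "/" but not "//" or "/\".
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) {
    return fallback;
  }

  let parsed;
  try {
    // Resolve against the trusted origin. The WHATWG URL parser also
    // strips embedded tabs/newlines, so "/<tab>/evil.example" becomes a
    // protocol-relative URL here and is caught by the origin check below.
    parsed = new URL(raw, origin);
  } catch {
    return fallback;
  }

  // After resolution the origin must be unchanged and the scheme http(s).
  if (parsed.origin !== origin) return fallback;
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return fallback;
  }

  // Hand back path + query + fragment only, never the origin, so the router
  // always receives a relative target.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Intended call site in client code (shown as a comment; not executed here):
//   const target = safeCallbackUrl(
//     new URLSearchParams(window.location.search).get("callbackUrl"),
//     window.location.origin,
//   );
//   router.push(target);
```

Rejecting anything that is not a root-relative path is deliberately stricter than checking for `javascript:` alone: an allow-list of one shape is easier to reason about than a deny-list of schemes, and it closes the open-redirect case at the same time as the XSS case.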